Advanced Tutorial: Man in the Middle Attack Using SSL Strip – Our Definitive Guide

November 19, 2010 by Keatron Evans

We got a lot of great feedback from our first Man in the Middle Video so we decided to double-down and give you guys some really juicy MitM demos and analysis. Our Ethical Hacking students have been really excited about this one during classes, so I wanted to share some of the good stuff here.

This one shows how to use SSLStrip with a MitM attack. We first give a demo of the attack and in the next two videos you can really gain an understanding and the practical knowledge of how it functions.

If you want to follow along, everything is really within BackTrack4, but the individual tools/techniques/software you’ll need are:




Posted: November 19, 2010
Keatron Evans
View Profile

Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Skills live boot camps and on-demand training.

27 responses to “Advanced Tutorial: Man in the Middle Attack Using SSL Strip – Our Definitive Guide”

  1. Aaron Klutz says:

    This is freaking awesome! I’d heard about being able to do this, but this is the first time I’ve ever seen it proven. Keatron I’m in Chicago. Do you do classes here?

  2. ‘@Aaron. Yes we do classes in Chicago all the time after all we’re based in the area! What type of class are you looking for? You can start by looking at our course catalog, then come back here and discuss.


  3. Matt says:

    Just came across your site/videos and I like them a lot; keep them up!!

  4. Gary Fisher says:

    So for the next video, can you show us how to detect that there is a man in the middle, or a security technique where a man can not get into the middle?

  5. Keatron says:

    ‘@Gary. No problem.

  6. Pieface says:

    “So for the next video, can you show us how to detect that there is a man in the middle, or a security technique where a man can not get into the middle?”


    id like to see counter measure video if possible.


  7. Keatron says:

    ‘@Pieface and Gary. Working on something for it guys. Thanks.

  8. Kateter says:

    Why is the client redirected to HTTP instead of HTTPS? Will there be additional SSL warning pop-ups if the client keeps the SSL-session to the SSL Strip box, that decrypts it with the certificate that was presented and then establishes a new SSL-session to yahoo.com instead of redirecting the client to a HTTP-page? It would still be possible to capture the content and the client keeps the HTTPS url?

  9. Keatron says:

    The way it works is it picks out HTTP traffic from port 80 and then packet forwards onto a different port (10,000 in this case).
    SSLStrip is at the same time listening on that port and removes the SSL connection before passing it back to the user.
    Ettercap then picks out the username & password.

    Yes, there would be an additional SSL warning that says this certificate cannot be validated or something of that nature. Whether or not the victim gets that message depends on the browser they’re using, how the browser is configured, etc. Using this method takes that possibility out of the equation completely.

  10. Joel Carlson says:

    I don’t think this information is completely correct. SSLStrip does not certificate chain by signing a valid certificate from a leaf certificate. It just redirects a https to an http thus removing the need for certificates, at least for the client to mitm session. Everything else appears correct. The automatic leaf signing use to be done by sslsniff, however, that doesn’t work any more since nowadays most browsers check the basicconstraints which verify the entire chain. Correct me if I am wrong. The guy who created sslstrip has a great explaination in his blackhat 2009 whitepaper.

  11. Zacharius says:

    i might have to take a trip to Chi for a class…im at ITT and im learning this aswell…very interesting and great video!

  12. ronnie short says:

    great video so you do classes what about online ?

  13. DJ says:

    I think this is fantastic. I’ve been getting Cisco certifications and am relatively new to the network security realm. I wanted to thankyou for spending the time to compile this site; and wanted to ask you how long you have been researching and experimenting with pen testing to become so good.

  14. Keatron Evans says:

    ‘@DJ. I’ve been experimenting since I was 13 or 14. Been doing this professionally about 14 years.

  15. Keatron Evans says:

    ‘@Ronnie. Check out our online courseware offerings. Just go to our main website www dot infosecinstitute dot c0m then select the online courses link.

  16. Amnesiac says:

    hi, i tried everything in this post, even tried different posts but i cant get the sslstrip program to capture anything, it runs fine, i have set my iptables and ports, arpspoof’s working and i also use ettercap, but when i get to the point of actually getting the packets i get nothing, i just get this:

    “sslstrip 0.9 by Moxie Marlinspike running…”

    and it doesnt capture anything. Any ideas??? Im using backtrack 5.

  17. kyubi says:

    hello sir.. i was thinking.. how could you then bring back the original settings of the IPtables after you have stop doing all the MITM attack thing.. will it auto set it self to default after you stop doing the MITM attack.. thanks please response..

  18. kyubi says:

    ‘@Amnesiac : you have to check on the file “ssstrip.log”.. try typing “tail -f sslstrip.log” in the terminal

  19. Ananya Sethi says:

    performed the steps exactly as mentioned. But the response to
    #arpspoof -t
    arpspoof: couldn’t arp for host

    also i m using ubuntu and there is no file etter.conf in path mentioned so cudn’t modify that too.

  20. Steven says:

    To the people having trouble: The most obvious reason of why is because this video should have been trashed and redone, there are so many mistakes, breeze-overs of important aspects, and not to mention the authentication attempts he makes in the video aren’t even using SSL!! just HTTP, you can even see this in his ettercap output near the end.
    I will make a video that clearly documents how to edit your etter.conf file (btw, ananya it should be located at /etc/etter.conf if it isn’t there I would re-configure ettercap via dpkg) how to add (and REMOVE) needed changes to IPTABLES, as well as show you how to write these steps into a script using variables for your target, instead of having 9 term-emus open.

  21. keatron says:

    Ananya, make sure you can actually ping the target ip’s. Usually when you can’t arp them it’s because you can’t communicate with them.

    Kyubi, you can comment out the rule you added. You can also remove it by entering the exact command again, but add the -D option. You can also do iptables -L -n -v –line to see a list of rules. Then once you find the line you added, enter iptables -D (number of the line which is your rules).

  22. George says:

    Hey this is awesome man. Keep up the good work. Wonderfull

  23. Richard Arnold says:

    Excellent video. I have been trying to conduct this on my own but I have no luck finding arp spoof on the net. The one that I found was a rar file. I am not sure on how to load that successfully. Can you advs.

    Richard Arnold

  24. Peter Andrews says:

    Is there a workaround if we don’t have a trusted certificate to issue leaves from?

  25. Vaskez says:

    Hi Keatron – or anyone that can answer. Very nice videos, but I don’t quite understand one of the steps in the EXPLANATION OF HOW IT WORKS PART 1: video. I understand certificate chaining, but why would the client accept a certificate for e.g. google.com.infosecinstitute.com when it wants to get to google.com? So even if SSLstrip issues a fake valid certificate, why would it get accepted when the name doesn’t exactly match? Even if the browser’s set up to match & accept *.google.com – it’d still have to END in google.com and have google.com as the top-level domain, no? what am I missing, why is the certificate accepted from the MITM? thanks a lot

  26. Vaskez says:

    Ah, I just saw one of your other comments – maybe the certificate ISN’T automatically accepted by the client, the method relies on the client just clicking through OK and not worrying about warning messages about the certificate? correct?

  27. crazyred says:

    Hello keatron, i want to study your class for Backtrack 5 . can i study from internet?

Leave a Reply

Your email address will not be published.